#VU30418 Information Exposure Through an Error Message in PostgreSQL - CVE-2014-8161
Published: January 27, 2020 / Updated: July 17, 2020
Vulnerability identifier: #VU30418
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2014-8161
CWE-ID: CWE-209
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
PostgreSQL
PostgreSQL
Software vendor:
PostgreSQL Global Development Group
PostgreSQL Global Development Group
Description
The vulnerability allows a remote authenticated user to gain access to sensitive information.
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.
Remediation
Install update from vendor's website.
External links
- http://www.debian.org/security/2015/dsa-3155
- http://www.postgresql.org/about/news/1569/
- http://www.postgresql.org/docs/9.4/static/release-9-4-1.html
- http://www.postgresql.org/docs/current/static/release-9-0-19.html
- http://www.postgresql.org/docs/current/static/release-9-1-15.html
- http://www.postgresql.org/docs/current/static/release-9-2-10.html
- http://www.postgresql.org/docs/current/static/release-9-3-6.html